What is email fraud?

Email fraud is a type of scam that uses email to trick victims into revealing personal information or transferring funds to fraudulent accounts.

Learning Objectives

After reading this article you will be able to:

  • Define email fraud
  • Understand how email fraud works
  • Learn ways to identify and prevent email fraud

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is email fraud?

Email fraud refers to a variety of scams and malicious activities that are carried out through email. These attacks can range from simple advance-fee scams targeting unsuspecting individuals, to sophisticated business email compromise (BEC) attacks that aim to trick large accounting departments into paying fraudulent invoices. Email fraud attackers often use social engineering tactics, such as posing as a trusted authority figure or using urgent or emotionally charged language, to manipulate their victims into taking action detrimental to themselves or their organization.

What is an example of email fraud?

There are many examples of email fraud, but one of the most notorious examples is the advanced fee scam or the “Foreign Prince” email. In this scam, an individual posing as a wealthy prince promises to transfer a large sum of money to the victim’s account in exchange for a small upfront payment or transfer fee. Once the payment is made, the promised funds never materialize.

This scam has been around for centuries. Its origin can be traced back to the late 1800s, when it was known as the Spanish Prisoner scam. In this version, a con artist would contact victims claiming to be helping a wealthy Spanish prisoner escape, and promising a reward in exchange for a guard bribe fee.

The scam has evolved and will continue to evolve, but its underlying principle remains: promising something for nothing while taking advantage of people’s vulnerabilities.

What is the purpose of email fraud?

Email fraud is a dangerous practice that has become increasingly common in today’s digital age. Attackers’ primary goal is typically to steal money or personal data — or both. They use a variety of tactics, such as phishing emails and scams, to trick victims into divulging sensitive information or transferring funds to fraudulent accounts. The effects of email fraud can be significant, ranging from financial losses to identify theft and reputational damage.

How do you spot email fraud?

Email fraud can be tricky to spot, but common signals can include:

  • The message does not pass email authentication checks. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) can be used to authenticate the origin of an email. If an email does not pass one of these checks, it may be fraudulent.
  • Engineered urgency or time limit. Another sign to watch out for is urgent or threatening language, such as insisting that the victim must take immediate action to avoid negative consequences. Attackers often use fear tactics to get victims to act quickly without thinking.
  • Errors, errors, errors. The body of the email is full of errors, such as poor grammar, spelling mistakes, and incorrect sentence structure.

Although these are some common signs of an email scam, attackers have become increasingly sophisticated over time and have learned to craft convincing emails that are hard to detect.In particular, the increased availability of powerful machine-learning chatbots has enabled attackers to generate error-free email text at a higher rate than before.

How can businesses stop email fraud?

Email fraud is here to stay, and cannot be eliminated completely by awareness training programs. However, there are several best practices and email security techniques that can help decrease the chances of a successful email fraud attack.

  • Evaluate emails for suspicious signs. This includes looking closely at email headers, sender names, or email addresses. Additionally, the body of the email may include attachments or links that could lead to malware or other malicious links. As a general rule, always err on the side of caution when opening emails, even if they appear to be legitimate.
  • Do not share personal information through email. Personal information includes social security numbers, bank account information, and passwords.
  • Block spam. Many email providers have built-in spam filters, but third-party filtering services can provide additional or more comprehensive protection. Other techniques to block spam include unsubscribing from mailing lists or newsletters and keeping email addresses private.
  • Build in email security protocols. Email authentication tools like SPF, DKIM, and DMARC can help verify the source of an email. Domain owners can configure these to make it difficult for attackers to impersonate their domain in a domain spoofing attack.
  • Use a browser isolation service. Browser isolation technologies isolate and execute browser content away from local devices, protecting organizations from malicious scripts and dangerous downloads.
  • Filter traffic with a secure web gateway. A secure web gateway (SWG) can be configured to prevent users from downloading files or sharing sensitive data. SWG inspects data and traffic for known malware and then blocks emails according to a predefined set of security policies.
  • Identify email fraud campaigns in advance. Some email security providers are able to detects and blocks email fraud. It proactively scans the Internet for attack infrastructure and campaigns, uncovers email fraud attempts, and provides visibility into compromised email accounts and domains. Learn more about stopping email fraud with Cloudflare Email Security.